Hello everyone,
I fiddled around a bit more with my Displaylink device, and here's what I
found so far (posted as a sort of reference, and maybe to help start a
discussion):
Content of transfers:
- All image data is sent as bulk transfers.
- The driver sends two big blocks during the setup phase. I suspected that the
first one is the firmware, as it's always the same size regardless of image
content, but a) it doesn't match any of the firmware blobs coming with the
driver and b) it's far too regular to be a firmware. I now think that it might
be the initialization for the video memory, as if that block is left out, the
device displays a ghost image of the previous framebuffer content.
- The second big block seems to be the initial framebuffer content. Its size
depends on the current image content, and changing a few bytes causes
colored garbage lines to appear, which leads me to the conclusion that some
sort of run-length encoding is used (maybe even some derivative of VNC's RFB?).
Encryption:
- All bulk transfers are encrypted.
- The key is likely 16 bytes, which are sent as a control transfer. They appear
to be random, but the same 16-byte string can appear repeatedly, esp. if the
device is initialized immediately after bootup. If these 16 bytes are equal,
then all bulk transfers are also identical byte-for-byte. Changing a single
byte in this transfer causes the device to stop working.
- The bigger data blocks show a surprising regularity: every 4095 bytes,
significant portions of the blocks repeat. This can be found by comparing every
byte i with the byte at i+offset and increasing a counter if the two bytes are
equal. Do this for all offsets from 1 to n. The result is a series
of maxima at 4095 and multiples thereof.
Now, 4095 is (2^12)-1. This reminded me of something from a crypto class
from a few years back, and indeed, this kind of periodicity occurs with a
certain type of pseudo-random generators, called linear feedback shift
registers (LFSR). So it might just be possible that the encryption is a stream
cipher based on a 12-byte LFSR.
So far from me - I hope that somebody else might have some comments about this.
BTW: happy holidays, everyone :-)
Yours, Florian
--
"_Nothing_ brightens up my morning. Coffee simply provides a shade of
grey just above the pitch-black of the infinite depths of the _abyss_."
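Added example (mine, not code from Florian's post or from any DisplayLink driver): a maximal-length 12-bit LFSR keystream XORed over a constructed stand-in framebuffer, followed by the coincidence scan the post describes (compare byte i with byte i+offset, count matches, repeat for all offsets). It shows where the 4095 = 2^12 - 1 maxima come from. Everything below is assumed for illustration: the feedback polynomial x^12 + x^11 + x^10 + x^4 + 1, LSB-first bits packed 8 per keystream byte, a fixed non-zero seed (how the 16-byte control transfer would map to an LFSR state is unknown), and the 0x00 background with a 16-byte 0xFF line every 1024 bytes as the "image". None of it is known to match the real device.

```python
"""Added example, not from Florian's post or any DisplayLink driver.

Reproduces (1) the 4095-byte period of a maximal 12-bit LFSR keystream and
(2) the byte-coincidence scan that exposes it in the encrypted bulk data.
All parameters below are assumptions made for the demonstration.
"""
from typing import Dict, List


def lfsr12_step(state: int) -> int:
    """One clock of a 12-bit Fibonacci LFSR, right-shifting, new bit at bit 11.
    Assumed polynomial x^12 + x^11 + x^10 + x^4 + 1 (taps 12, 11, 10, 4 in the
    usual table notation, i.e. shifts 0, 1, 2, 8 of a right-shifting register)."""
    bit = (state ^ (state >> 1) ^ (state >> 2) ^ (state >> 8)) & 1
    return (state >> 1) | (bit << 11)


def lfsr12_period(seed: int = 1) -> int:
    """Clocks until the register returns to its seed: 4095 for a primitive polynomial."""
    state = lfsr12_step(seed)
    n = 1
    while state != seed:
        state = lfsr12_step(state)
        n += 1
    return n


def lfsr12_keystream(seed: int, nbytes: int) -> bytes:
    """Keystream bytes: 8 clocks per byte, emitting the bit that falls off the end.
    The bit sequence has period 4095; because gcd(8, 4095) == 1 the byte
    sequence also has period 4095 bytes, which is what the scan below finds."""
    state = seed & 0xFFF
    if state == 0:
        raise ValueError("the all-zero state never leaves zero")
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            byte = (byte << 1) | (state & 1)
            state = lfsr12_step(state)
        out.append(byte)
    return bytes(out)


def make_framebuffer(nbytes: int, line_stride: int = 1024, line_len: int = 16) -> bytes:
    """Constructed stand-in for a mostly blank framebuffer (assumption): 0x00
    background with a short 0xFF run every line_stride bytes."""
    fb = bytearray(nbytes)
    for start in range(0, nbytes, line_stride):
        fb[start:start + line_len] = b"\xff" * min(line_len, nbytes - start)
    return bytes(fb)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def coincidence_scan(data: bytes, max_offset: int) -> Dict[int, float]:
    """The post's check: for each offset, how often data[i] == data[i + offset].
    Returns the fraction of matching positions rather than the raw count so that
    short offsets (more comparisons) do not win by default on mostly blank data.
    Big-int XOR keeps the inner loop in C; a zero byte in the XOR means a match."""
    n = len(data)
    rates: Dict[int, float] = {}
    for off in range(1, max_offset + 1):
        width = n - off
        diff = int.from_bytes(data[:width], "big") ^ int.from_bytes(data[off:], "big")
        rates[off] = diff.to_bytes(width, "big").count(0) / width
    return rates


def peak_offsets(rates: Dict[int, float], k: int) -> List[int]:
    """The k offsets with the highest coincidence rate, best first."""
    return sorted(rates, key=rates.__getitem__, reverse=True)[:k]


def demo(nbytes: int = 12288, max_offset: int = 8300, seed: int = 0xACE) -> dict:
    """Encrypt the constructed framebuffer and scan both plaintext and ciphertext.
    On the plaintext the scan finds the image's own 1024-byte line stride; on the
    ciphertext that structure is gone and only the keystream period (4095 and
    its multiple 8190) stands out, because k[i] ^ k[i + 4095] == 0 everywhere."""
    plaintext = make_framebuffer(nbytes)
    ciphertext = xor_bytes(plaintext, lfsr12_keystream(seed, nbytes))
    cipher_rates = coincidence_scan(ciphertext, max_offset)
    plain_rates = coincidence_scan(plaintext, max_offset)
    return {
        "cipher_peaks": peak_offsets(cipher_rates, 2),
        "plain_peak": peak_offsets(plain_rates, 1)[0],
        "cipher_rates": cipher_rates,
    }


if __name__ == "__main__":
    print("LFSR period in clocks:", lfsr12_period())
    result = demo()
    print("plaintext peak offset:", result["plain_peak"])
    for off in result["cipher_peaks"]:
        print(f"ciphertext offset {off}: {result['cipher_rates'][off]:.3f} of bytes coincide")
```

Two things worth noting when running this against a real capture: the peaks only appear because most plaintext bytes equal the byte 4095 positions away (blank background), so a busy image gives a much weaker but still present maximum; and a maximum at 4095 says the keystream period is 4095 bytes, not by itself how many register bits or clocks per byte produce it.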